Organizations around the world are facing a level of economic instability not seen since the beginning of the COVID-19 pandemic. Each day brings with it new announcements of mass layoffs, missed earnings, and slower-than-expected economic growth. Undoubtedly, the suppliers, vendors and other third parties that your organization relies on to deliver services and products to its customers will also be affected by these economic conditions, which can result in them decreasing IT security spending, laying off staff or shifting their strategy. If not properly managed, these relationships can introduce risk to business outcomes.
With this much uncertainty, now is the time to invest in making your third-party risk management (TPRM) program recession-proof in 2023. Indeed, economic hardships can improve TPRM, forcing teams to rethink their programs and embrace more efficient, effective, and scalable solutions to reducing third-party risk.
Outsource Third-Party Risk Management Tasks to Address Staffing Shortages
Recession-driven layoffs aren’t the only labor-related challenges to be concerned about. A skilled labor shortage in IT continues to drive up salaries, and greater numbers of employees are burning out, which is driving a trend called quiet quitting. Regardless of the driver, fewer resources on hand to manage IT security, data privacy, or other essential business functions can open gaps for disgruntled former employees or savvy cyber attackers to exploit.
Since your organization must assess third-party risks — perhaps with fewer resources — consider outsourcing the time-consuming tactical tasks of managing vendor relationships, leaving your team to manage and remediate the resulting risks instead of tracking down contacts, documentation, or risk assessments. Let’s examine a few use cases that demonstrate how outsourcing can help maintain a focus on TPRM.
TPRM specialists can help your team choose the right type of assessment or customize one based on your organization’s goals and regulatory requirements. Outsourced TPRM specialists can also create and manage assessment schedules on your team’s behalf, freeing their time to focus on more impactful tasks.
Chasing vendor responses tends to be the most time-consuming part of TPRM, as vendor contacts come and go over time, vendor priorities are fluid, and results can be inconsistent. Outsourcing the chasing and tracking of responses, as well as the review of responses for accuracy and consistency, will naturally enable your team to focus on higher-value activities such as analysis and remediation of risks.
Fourth- and Nth-Party Management
Keeping track of your extended software supply chain during healthy economic cycles is challenging enough, but with fewer resources available, prioritizing the examination of potential upstream risks is nearly impossible. Outsourcing TPRM will shift that work to risk management specialists who can create relationship maps based on business dependencies and attributes, providing your team with new levels of visibility into potential service disruptions.
Continuous Monitoring for Emerging Risks
Security and data privacy assessments are essential to understanding the internal controls that your third-party vendors and suppliers have in place, but they tend to be conducted at the time of a new vendor’s onboarding and only periodically thereafter. As we have repeatedly seen, new cybersecurity risks and vulnerabilities can emerge and impact organizations quickly, which is why it’s critical to continuously monitor for risks. If the team is unable to keep up with basic assessments, continuous monitoring only adds to the workload. Outsourcing this function keeps the focus on emerging threats.
As the number of third-party security incidents continues to increase, your organization will be exposed to more risks. Even if your organization has a thorough incident management process in place, the urgency of supply chain security incidents (such as SolarWinds or Kaseya) may require immediate action, and an understaffed team will not be able to react fast enough. Outsourcing exposure assessments to TPRM specialists will improve mean time to resolution and accelerate remediation efforts.
Outsourcing with an annual fixed contract enables better control of budget, as you can wage-proof your program in a period of skills shortages, inflation, and general uncertainty. This also helps to retain critical staff by offloading repetitive and often tiresome workloads, reserving your team for critical and impactful activities.
Consolidate Overlapping Toolsets to Reduce Costs and Close Risk Gaps
If your security team is like most others, then you’re likely leveraging multiple, sometimes overlapping, toolsets to deliver data and insights on cybersecurity risks. The inherent challenge with that approach is the integration work required to make sense of it all. That’s expensive, usually requiring outside resources to tie it all together — not to mention the cost of the licenses themselves. And if that integration work can’t be completed effectively, your organization can miss out on necessary context into risks.
When it comes to monitoring third-party risks, this problem compounds with every vendor added. A consolidated cybersecurity risk monitoring approach yields much better economies of scale, improves efficiency, and reduces coverage gaps.
If your organization is going into 2023 with flat or decreased budgets, consider a third-party risk monitoring strategy that consolidates external cybersecurity data from multiple sources, including data breach databases; criminal forums; onion pages; Dark Web special access forums; threat feeds; paste sites for leaked credentials; security communities; code repositories; and vulnerability databases.
The benefits of a more consolidated approach to third-party risk monitoring extend beyond cost savings and efficiency gains to include:
- Enabling coordinated action based on whether findings validate assessment results
- Integrating best-of-breed data feeds for each dimension of risk, closing gaps in coverage
- Centralizing vendor communications to see remediations through to conclusion
Get Your Own House in Order to Improve Efficiencies
Even before considering whether to outsource or consolidate tools, gauge your team’s ability to address third-party risks and optimize your processes accordingly. Look at your existing TPRM program and its supporting practices, policies and processes, and answer the following questions:
- Roles and responsibilities: Is there a RACI chart in place to identify responsible parties in the assessment, management and remediation of third-party risks?
- Vendor coverage: Has your organization profiled, tiered and categorized all of its third-party vendors and suppliers, and does it have an established due diligence process in place that corresponds to those tiers?
- Assessment content: Does your organization have a preferred IT controls framework to report third-party risks against? For example, if you are a NIST or ISO shop, are you assessing third-party IT security and data privacy controls against those frameworks?
- Remediation planning: Does your organization have processes in place to triage risks and enforce remediations? What are the criteria for accepting risks? What about compensating controls?
- Program governance: Is there a risk committee or steering group in place to provide oversight and input to the TPRM program? What type of reporting is required for the Board, executives and line of business teams? Is the program audited regularly?
Because of how the current economic environment can result in increased third-party vendor and supplier risks, now is the time to lean into third-party risk management — not after a major cyberattack occurs. This additional focus, however, should be balanced against your organizational realities of potentially reduced security budgets, staffing shortages and shifting business priorities. To maintain your organization’s focus on third-party risk, outsource lower-level tasks to experts, consolidate tools to save money, and make sure your processes are running as efficiently as possible.
Given the ever-increasing number of third-party data breaches and vendor disruptions, your organization can’t afford to let economic conditions — even a potential recession — distract it from ensuring business resilience.